PerlMonks  

Re^5: filter tcpdump packets

by Anonymous Monk
on Sep 03, 2014 at 11:23 UTC


in reply to Re^4: filter tcpdump packets
in thread filter tcpdump packets

Difference between -R and -Y.

As far as I can tell this also depends on the version of tshark you're using, in newer versions use -Y, older versions -R. For the exact meaning of those options see the tshark manpage. I'm guessing you haven't read that page yet, since then you would know the answer to your next questions is that -Y is the display filter, so you can use that to apply the filters on tcp.options.mss_val, tcp.flags, and icmp.type that you are asking about.

In a captured frame, there are protocols like "eth(0):ip(0):gre:eth(1):ip(1):tcp"

I'm not quite sure what you mean - could you show some of the actual tshark output you're having a problem with? If I'm understanding your sample output, $src_addr contains the string "1.1.1.1,2.2.2.2"??

Replies are listed 'Best First'.
Re^6: filter tcpdump packets
by syboar (Novice) on Sep 04, 2014 at 15:47 UTC

        So apparently you've got MPLS GRE encapsulated packets, googling that doesn't bring up a quick answer. Perhaps another monk who's worked with it before knows more about it, or you could try asking on a Wireshark help forum, since you can apply any Wireshark filters with tshark. Or you may end up having to dig into the packet manually....

        Although in this case your post gives enough information to figure out the apparent issue, showing the code you're running generally helps too. See How do I post a question effectively?

        Also, what was meant with "the actual tshark output" is the following:

        If your code is this:

        my @cmd = ('tshark', '-r', $PCAPFILE,
                   qw# -R tcp.options.mss -T fields
                       -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
                       -e tcp.options.mss_val #);
        open my $ts, '-|', @cmd or die "Error opening pipe: $!";

        Then please show the output of the following (replacing $PCAPFILE with the actual filename of course):

        ## from your command line
        $ tshark -r $PCAPFILE -R tcp.options.mss -T fields -e ip.src \
            -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.options.mss_val

        That way we know what the input to Perl looks like.

        Although admittedly, in this case, the frame dump actually gave the most important hint as to what's going on (MPLS GRE).
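        An added example, not code from the thread, that does the "dig into the packet manually" part in Perl. The comma-joined "1.1.1.1,2.2.2.2" seen above is what tshark -T fields prints when a field such as ip.src occurs more than once in a frame (one per nested IP header, outermost first); the script asks for every occurrence explicitly with -E occurrence=a, splits them, and uses frame.protocols (the same list tshark -V shows as "[Protocols in frame: ...]") to decide whether the innermost header is ip or ipv6. It assumes a tshark new enough for -Y (1.10 or later; older releases take -R for the same display filter), and the sample lines it runs on when no capture file is given are constructed, not real output; the thread's own frame ends in icmpv6 and would not pass a tcp.options.mss_val filter, so the sample substitutes a TCP inner layer.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: split the comma-joined ip.src/ip.dst
# values that tshark -T fields emits for GRE/MPLS-encapsulated frames into one
# entry per header, and report the endpoints of the innermost IP layer.
# Assumes tshark 1.10 or later (-Y); on older releases replace -Y with -R.
use strict;
use warnings;

# Display filter: keep only frames whose TCP options carry MSS == 1500.
my $FILTER = 'tcp.options.mss_val == 1500';

# Extracted fields, in column order. For a frame such as
# eth:ip:gre:mpls:...:ip:gre:eth:vlan:ipv6:tcp the ip.src field occurs twice;
# "-E occurrence=a" makes tshark print every occurrence, outermost first,
# joined by the aggregator character (',' here).
my @FIELDS = qw(frame.protocols ip.src ipv6.src tcp.srcport
                ip.dst ipv6.dst tcp.dstport tcp.options.mss_val);

sub tshark_cmd {
    my ($pcap) = @_;
    return ('tshark', '-r', $pcap, '-Y', $FILTER, '-T', 'fields',
            '-E', 'occurrence=a', '-E', 'aggregator=,',
            map { ('-e', $_) } @FIELDS);
}

# One tab-separated output line -> { field => [ values, outer to inner ] }.
# Empty columns (no IPv6 header in the frame, say) become empty lists.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    my @cols = split /\t/, $line, -1;        # -1 keeps trailing empty columns
    my %rec;
    for my $i (0 .. $#FIELDS) {
        my $v = defined $cols[$i] ? $cols[$i] : '';
        $rec{ $FIELDS[$i] } = [ length $v ? split(/,/, $v) : () ];
    }
    return \%rec;
}

# The TCP header lives under the innermost IP header, so the endpoints that
# belong to the MSS are the LAST ip.* or ipv6.* occurrence, whichever family
# appears deepest in frame.protocols.
sub innermost_endpoints {
    my ($rec) = @_;
    my @chain = split /:/, ($rec->{'frame.protocols'}[0] || '');
    my ($fam) = grep { $_ eq 'ip' || $_ eq 'ipv6' } reverse @chain;
    return unless defined $fam && @{ $rec->{"$fam.src"} };
    return ($fam, $rec->{"$fam.src"}[-1], $rec->{"$fam.dst"}[-1]);
}

sub describe {
    my ($rec) = @_;
    my ($fam, $src, $dst) = innermost_endpoints($rec)
        or return 'no IP header in frame';
    my $sport = $rec->{'tcp.srcport'}[-1];
    my $dport = $rec->{'tcp.dstport'}[-1];
    my $mss   = $rec->{'tcp.options.mss_val'}[-1];
    # Bracket IPv6 literals so the ":port" suffix stays readable.
    my $fmt   = $fam eq 'ipv6' ? '[%s]:%s' : '%s:%s';
    my $inner = sprintf "$fmt -> $fmt MSS=%s", $src, $sport, $dst, $dport, $mss;

    # Every remaining IPv4 header is a tunnel hop; list them outer to inner.
    my @os = @{ $rec->{'ip.src'} };
    my @od = @{ $rec->{'ip.dst'} };
    if ($fam eq 'ip') { pop @os; pop @od; }
    my @tunnels = map { "$os[$_] -> $od[$_]" } 0 .. $#os;
    return @tunnels ? '[' . join(' | ', @tunnels) . "] $inner" : $inner;
}

# Constructed sample lines in tshark -T fields format (tab separated), standing
# in for real output so the script runs without a capture file or tshark.
my @SAMPLE = (
    "eth:ip:gre:mpls:pwethheuristic:pwethnocw:eth:vlan:ip:gre:eth:vlan:ipv6:tcp\t"
      . "1.1.1.1,2.2.2.2\tfe80::6666:44ff:fe00:4444\t40000\t"
      . "3.3.3.3,4.4.4.4\t2001:db8::1\t443\t1500",
    "eth:ip:gre:ip:tcp\t1.1.1.1,10.0.0.5\t\t51234\t3.3.3.3,10.0.0.9\t\t80\t1500",
    "eth:ip:tcp\t192.0.2.1\t\t33000\t192.0.2.2\t\t22\t1500",
);

my $ts;
if (@ARGV) {
    my @cmd = tshark_cmd($ARGV[0]);
    open $ts, '-|', @cmd or die "Error opening pipe: $!";
} else {
    my $data = join("\n", @SAMPLE) . "\n";
    open $ts, '<', \$data or die "Cannot open in-memory sample: $!";
}
while (my $line = <$ts>) {
    print describe(parse_line($line)), "\n";
}
close $ts;
```

        Run as `perl mss_layers.pl capture.pcap` to pipe real tshark output through it; with no argument it walks the embedded sample, printing the two tunnel hops in front of the IPv6 endpoints for the first line and a bare "192.0.2.1:33000 -> 192.0.2.2:22 MSS=1500" for the last. If only the innermost pair is wanted, `-E occurrence=l` lets tshark drop the outer headers itself, at the cost of losing the tunnel path that tells you which encapsulation the traffic arrived through.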

    Re^6: filter tcpdump packets
    by Anonymous Monk on Sep 03, 2014 at 15:54 UTC

      (1). If possible can you please explain what it means

      "to be applied during the first pass of analysis. Packets not matching the filter are not considered for future passes. Only makes sense with multiple passes, see -2."

      "Note that forward-looking fields such as 'response in frame #' cannot be used with this filter, since they will not have been calculate when this filter is applied."

      (2). How to apply a filter to display frames related only to

      tcp.options.mss_val==1500

      instead of applying filter

      tcp.options.mss_val

      This didn't work  -z tcp.oprions.mss_val==1500

      (3). Here is the frame that includes bunch of protocols captured in Frame 3. With

       print "$src_addr:$src_port -> $dst_addr:$dst_port  MSS=$mss\n";

      we have output

      1.1.1.1,2.2.2.2:xxxxx -> 3.3.3.3:yyyyy MSS=zzzzz

      How can I differentiate different source address ipv4, ipv6 address captured at various instances in

      while (<$ts>) {
          chomp;
          my ($src_addr, $src_port, $dst_addr, $dst_port, $mss) = split /\t/;
          print "$src_addr:$src_port -> $dst_addr:$dst_port MSS=$mss\n";
      }

      Protocols captured in an example frame:

      [Protocols in frame: eth:ip:gre:mpls:pwethheuristic:pwethnocw:eth:vlan:ip:gre:eth:vlan:ipv6:icmpv6]

      Complete example frame, with source and destination addresses modified:

      Frame 3: 198 bytes on wire (1584 bits), 198 bytes captured (1584 bits)
          Encapsulation type: Ethernet (1)
          Arrival Time: Jun 17, 2014 10:28:30.759871000 Western Daylight Time
          [Time shift for this packet: 0.000000000 seconds]
          Epoch Time: 1403015310.759871000 seconds
          [Time delta from previous captured frame: 0.120287000 seconds]
          [Time delta from previous displayed frame: 0.120287000 seconds]
          [Time since reference or first frame: 0.599182000 seconds]
          Frame Number: 3
          Frame Length: 198 bytes (1584 bits)
          Capture Length: 198 bytes (1584 bits)
          [Frame is marked: False]
          [Frame is ignored: False]
          [Protocols in frame: eth:ip:gre:mpls:pwethheuristic:pwethnocw:eth:vlan:ip:gre:eth:vlan:ipv6:icmpv6]
      Ethernet II, Src: Cisco_00:00:00 (00:00:00:00:00:00), Dst: Vmware_11:11:11 (11:11:11:11:11:11)
          Destination: Vmware_11:11:11 (11:11:11:11:11:11)
              Address: Vmware_11:11:11 (11:11:11:11:11:11)
              .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
              .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
          Source: Cisco_00:00:00 (00:00:00:00:00:00)
              Address: Cisco_00:00:00 (00:00:00:00:00:00)
              .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
              .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
          Type: IP (0x0800)
      Internet Protocol Version 4, Src: 1.1.1.1 (1.1.1.1), Dst: 3.3.3.3 (3.3.3.3)
          Version: 4
          Header length: 20 bytes
          Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
              0010 00.. = Differentiated Services Codepoint: Class Selector 1 (0x08)
              .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
          Total Length: 184
          Identification: 0xd1a9 (53673)
          Flags: 0x02 (Don't Fragment)
              0... .... = Reserved bit: Not set
              .1.. .... = Don't fragment: Set
              ..0. .... = More fragments: Not set
          Fragment offset: 0
          Time to live: 254
          Protocol: GRE (47)
          Header checksum: 0x3f36 [validation disabled]
              [Good: False]
              [Bad: False]
          Source: 1.1.1.1 (1.1.1.1)
          Destination: 3.3.3.3 (3.3.3.3)
          [Source GeoIP: Unknown]
          [Destination GeoIP: Unknown]
      Generic Routing Encapsulation (MPLS label switched packet)
          Flags and Version: 0x0000
              0... .... .... .... = Checksum Bit: No
              .0.. .... .... .... = Routing Bit: No
              ..0. .... .... .... = Key Bit: No
              ...0 .... .... .... = Sequence Number Bit: No
              .... 0... .... .... = Strict Source Route Bit: No
              .... .000 .... .... = Recursion control: 0
              .... .... 0000 0... = Flags (Reserved): 0
              .... .... .... .000 = Version: GRE (0)
          Protocol Type: MPLS label switched packet (0x8847)
      MultiProtocol Label Switching Header, Label: 902, Exp: 0, S: 1, TTL: 255
          0000 0000 0011 1000 0110 .... .... .... = MPLS Label: 902
          .... .... .... .... .... 000. .... .... = MPLS Experimental Bits: 0
          .... .... .... .... .... ...1 .... .... = MPLS Bottom Of Label Stack: 1
          .... .... .... .... .... .... 1111 1111 = MPLS TTL: 255
      Ethernet II, Src: Cisco_00:00:00 (00:00:00:00:00:00), Dst: AlcatelL_22:22:22 (22:22:22:22:22:22)
          Destination: AlcatelL_22:22:22 (22:22:22:22:22:22)
              Address: AlcatelL_22:22:22 (22:22:22:22:22:22)
              .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
              .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
          Source: Cisco_00:00:00 (00:00:00:00:00:00)
              Address: Cisco_00:00:00 (00:00:00:00:00:00)
              .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
              .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
          Type: 802.1Q Virtual LAN (0x8100)
      802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1198
          000. .... .... .... = Priority: Best Effort (default) (0)
          ...0 .... .... .... = CFI: Canonical (0)
          .... 0100 1010 1110 = ID: 1198
          Type: IP (0x0800)
      Internet Protocol Version 4, Src: 2.2.2.2 (2.2.2.2), Dst: 4.4.4.4 (4.4.4.4)
          Version: 4
          Header length: 20 bytes
          Differentiated Services Field: 0xb0 (DSCP 0x2c: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
              1011 00.. = Differentiated Services Codepoint: Unknown (0x2c)
              .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
          Total Length: 138
          Identification: 0x0000 (0)
          Flags: 0x02 (Don't Fragment)
              0... .... = Reserved bit: Not set
              .1.. .... = Don't fragment: Set
              ..0. .... = More fragments: Not set
          Fragment offset: 0
          Time to live: 61
          Protocol: GRE (47)
          Header checksum: 0xa2dd [validation disabled]
              [Good: False]
              [Bad: False]
          Source: 2.2.2.2 (2.2.2.2)
          Destination: 4.4.4.4 (4.4.4.4)
          [Source GeoIP: Unknown]
          [Destination GeoIP: Unknown]
      Generic Routing Encapsulation (Transparent Ethernet bridging)
          Flags and Version: 0x0000
              0... .... .... .... = Checksum Bit: No
              .0.. .... .... .... = Routing Bit: No
              ..0. .... .... .... = Key Bit: No
              ...0 .... .... .... = Sequence Number Bit: No
              .... 0... .... .... = Strict Source Route Bit: No
              .... .000 .... .... = Recursion control: 0
              .... .... 0000 0... = Flags (Reserved): 0
              .... .... .... .000 = Version: GRE (0)
          Protocol Type: Transparent Ethernet bridging (0x5555)
      Ethernet II, Src: Apple_33:33:33 (33:33:33:33:33:33), Dst: IPv6mcast_44:44:44:44 (44:44:44:44:44:44)
          Destination: IPv6mcast_44:44:44:44 (44:44:44:44:44:44)
              Address: IPv6mcast_44:44:44:44 (44:44:44:44:44:44)
              .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
              .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
          Source: Apple_33:33:33 (33:33:33:33:33:33)
              Address: Apple_33:33:33 (33:33:33:33:33:33)
              .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
              .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
          Type: 802.1Q Virtual LAN (0x8100)
      802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 102
          000. .... .... .... = Priority: Best Effort (default) (0)
          ...0 .... .... .... = CFI: Canonical (0)
          .... 0000 0110 0110 = ID: 102
          Type: IPv6 (0x86dd)
      Internet Protocol Version 6, Src: fe80::6666:44ff:fe00:4444 (fe80::6666:44ff:fe00:4444), Dst: ff00::00 (ff00::00)
          0110 .... = Version: 6
              [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
          .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
              .... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000)
              .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
              .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
          .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
          Payload length: 56
          Next header: IPv6 hop-by-hop option (0)
          Hop limit: 1
          Source: fe80::6666:44ff:fe00:4444 (fe80::6666:44ff:fe00:4444)
          [Source SA MAC: Apple_33:33:33 (33:33:33:33:33:33)]
          Destination: ff00::00 (ff00::00)
          [Source GeoIP: Unknown]
          [Destination GeoIP: Unknown]
          Hop-by-Hop Option
              Next header: ICMPv6 (58)
              Length: 0 (8 bytes)
              IPv6 Option (PadN)
                  Type: PadN (1)
                  Length: 0
                  PadN: <MISSING>
              IPv6 Option (Router Alert)
                  Type: Router Alert (5)
                  Length: 2
                  Router Alert: MLD (0)
      Internet Control Message Protocol v6
          Type: Multicast Listener Report Message v2 (143)
          Code: 0
          Checksum: 0xc46c [correct]
          Reserved: 0000
          Number of Multicast Address Records: 2
          Multicast Address Record Changed to exclude: ff02::2:ff33:333
              Record Type: Changed to exclude (4)
              Aux Data Len: 0
              Number of Sources: 0
              Multicast Address: ff02::2:ff33:333 (ff02::2:ff33:333)
          Multicast Address Record Changed to exclude: ff02::1:ff44:4444
              Record Type: Changed to exclude (4)
              Aux Data Len: 0
              Number of Sources: 0
              Multicast Address: ff02::1:ff44:4444 (ff02::1:ff44:4444)

      Thank you

    Re^6: filter tcpdump packets
    by syboar (Novice) on Sep 04, 2014 at 15:18 UTC
